
Port Forwarding Xbox Live Services to Xbox One Results in 'Strict NAT'.

Happy New Year everyone.

I have 2 Business Rules setup on my brand new Sophos XG firewall (Firmware 15.01.0):


However, when I do various tests on my Xbox One, it always shows as "NAT Type: Strict".

The UDP Ports are 88, 500, 3074, 3544 and 4500.  TCP Ports are 88 and 3074.

I really wish Sophos would add UPnP support for situations like this.  Yes, I'm fully aware of the security implications of UPnP, but for home users (especially with multiple Xboxes like me), setting up Port Forwarding isn't a fun thing to do.

Am I missing something here?



  • Sorry, that should have said Asus router NOT Ausus
  • Well - an advanced home user may also set up an ESX host (or Linux with KVM) and configure two VMs - one for Sophos XG and the second one for OpenWRT (x86) with a UPnP daemon. This will be just one device ;-)
  • Sorry - could I trouble you to share more details regarding the policy you created? I've tried to create the policy you described, but can't seem to get it to work - can't install new apps/games or update existing ones - getting error 0X8007000e on the Xbox. Tried various combinations and permutations but can't quite seem to get it to work. Would prefer at this point not to do port forwarding...

    Big Ray said:

    Moving forward you don't need to do any 'port forwarding' for XBox to work; in fact, this setup would not work if you have multiple XBox consoles in the house. All you need to do is create an IP Host for the gaming boxes, then create a new policy at the top and add your gaming IP Hosts to it, disable HTTP & HTTPS scanning and set the 'web filter' to none, and that's it. I have 3 XBoxes here that work great with this configuration. And yes, they have all been on at the same time.

  • Hmmm. Was trying to set up a rule along the lines that you and Big Ray had mentioned, but don't seem to be having much luck. I've included a screenshot of the policy I created. Would it be possible to trouble you for your thoughts as to what I might be doing wrong?


    Just create a bypass rule for your Xbox and use NAT. I did on mine and not sure why this won't work in your situation. Even if you get port forwarding working the way you like, eventually you are going to run into an issue with Netflix and other streaming services not connecting if you are scanning for malware on your default network policy.


  • Hi dma0,

    What you need is a LAN to WAN policy instead.

    Source Zones
    • LAN

    Source Networks and Devices
    • XboxOne

    During Scheduled Time
    • All the Time

    Destination & Services

    Destination Zones
    • WAN

    Destination Networks
    • Any

    Services
    • Any

    Br, 
    Sascha
  • Thanks very much Sascha. As it turns out I found this same solution suggested on another thread. I suppose I still need to get my head around how rules work in XG, as it seems to take a somewhat different approach as compared to UTM9.

    This solution worked perfectly, though my preference would have been to try to limit it to the specific ports required (which I tried based on the ports identified on the XBox site, but which didn't seem to work).

  • Hi Ray,

    I am new to Sophos and I'm having the same issue with Xbox, FiOS VoD and Roblox. When you say, create a new policy, are you referring to a firewall rule?

    Thanks for the help.

  • Could you provide more detailed instructions on how to create a bypass rule for Xbox?  I just started with Sophos and cannot figure out how to do this from the documentation.  I use a second LAN (DMZ) to isolate my wireless mobile devices and gaming consoles from my primary LAN on Sophos.  I use my old Asus RT-N16 on the DMZ LAN for the wireless connection to the internet.

  • I just started trying to replace my ASUS RT-N16 router with Sophos UTM (very new to Sophos).  I built a 2nd LAN (DMZ) on my Sophos UTM to handle my wireless mobile devices & gaming consoles to isolate them from my primary LAN.  I built IP Hosts for 2 Xboxes. But I cannot figure out how to "create a new policy at the top and add your gaming IP Host's to it, disable HTTP & HTTPS scanning and set the 'web filter' to none" that you recommended below.

    "Moving forward you don't need to do any 'port forwarding' for XBox to work; in fact, this setup would not work if you have multiple XBox consoles in the house. All you need to do is create an IP Host for the gaming boxes, then create a new policy at the top and add your gaming IP Hosts to it, disable HTTP & HTTPS scanning and set the 'web filter' to none, and that's it. I have 3 XBoxes here that work great with this configuration. And yes, they have all been on at the same time."

    Can you please provide me more detailed instructions on how to do your recommendations above?

    Thanks very much for your help.

  • I’m currently running V17-MR1 on my home network and seeing Moderate and Open NAT when I test NAT from the XBox settings. I noticed when I try to test it the first time, it says Moderate NAT, but if I test again within a couple of minutes of the first test, it says Open NAT. If I wait longer than a couple of minutes, the test result will be Moderate NAT again. I tried a quick matchmaking in Destiny 2 and it seemed to have no issues. What I did was:

    - Create a MAC Host for my XBox One called “XBox_One”.

    - Create a firewall rule with Source: “LAN”, “XBox_One”; Destination: “WAN”, “Any Host”; turned off all scanning, IPS and all policies set to ‘None’.

    I tried port forwarding all of the recommended ports but the NAT test results were the same as I mentioned above. I only have one XBox in my house.
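The rule described by Sascha (LAN to WAN, source host XboxOne, services Any, no scanning) and again in the last post (MAC host plus a rule with scanning, IPS and policies off) works because a firewall walks its rule table top-down and the first matching rule decides; that is why the posts insist on putting it "at the top". The following model is an added example written for this thread, not the poster's configuration or Sophos's code. It assumes a constructed console address (192.168.1.50), made-up rule names, and a deliberately simplified rule/packet model. It goes a little beyond the thread: it also shows a variant restricted to the Xbox Live ports quoted in the opening post, and a console placed in a DMZ zone, so the reader can see how order, service restriction and source zone each change the outcome.

```python
"""First-match firewall rule walk modelling the Xbox bypass rule.

Assumptions (not from the thread): the host address 192.168.1.50, the rule
names, and the simplified rule/packet model are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

# Xbox Live ports quoted in the opening post of the thread.
XBOX_LIVE_SERVICE: Set[Service] = {
    ("udp", 88), ("udp", 500), ("udp", 3074), ("udp", 3544), ("udp", 4500),
    ("tcp", 88), ("tcp", 3074),
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    proto: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    src_hosts: Optional[Set[str]]     # None means "Any"
    dst_zones: Set[str]
    services: Optional[Set[Service]]  # None means "Any"
    scan_http: bool                   # HTTP/HTTPS malware scanning on?
    web_filter: Optional[str]         # None means web filter policy "None"

    def matches(self, pkt: Packet) -> bool:
        if pkt.src_zone not in self.src_zones or pkt.dst_zone not in self.dst_zones:
            return False
        if self.src_hosts is not None and pkt.src_ip not in self.src_hosts:
            return False
        if self.services is not None and (pkt.proto, pkt.dst_port) not in self.services:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk the table top-down; the first matching rule decides.
    No match means the implicit default: drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


# Constructed host object standing in for the "XboxOne" IP host.
XBOX_HOST = {"192.168.1.50"}

XBOX_BYPASS = Rule("Xbox bypass", {"LAN"}, XBOX_HOST, {"WAN"}, None,
                   scan_http=False, web_filter=None)
XBOX_PORTS_ONLY = Rule("Xbox Live ports only", {"LAN"}, XBOX_HOST, {"WAN"},
                       XBOX_LIVE_SERVICE, scan_http=False, web_filter=None)
DEFAULT_LAN_WAN = Rule("Default LAN to WAN", {"LAN"}, None, {"WAN"}, None,
                       scan_http=True, web_filter="Default Policy")

# Order matters: the bypass must sit above the general rule ("at the top").
RULES_BYPASS_ON_TOP = [XBOX_BYPASS, DEFAULT_LAN_WAN]
RULES_BYPASS_BELOW = [DEFAULT_LAN_WAN, XBOX_BYPASS]
RULES_PORTS_ONLY = [XBOX_PORTS_ONLY, DEFAULT_LAN_WAN]


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """Return (rule name, scanned?) for a packet, or ("drop", False)."""
    rule = first_match(rules, pkt)
    if rule is None:
        return ("drop", False)
    return (rule.name, rule.scan_http or rule.web_filter is not None)


if __name__ == "__main__":
    xbox_game = Packet("LAN", "192.168.1.50", "WAN", "udp", 3074)
    xbox_store = Packet("LAN", "192.168.1.50", "WAN", "tcp", 443)
    laptop = Packet("LAN", "192.168.1.20", "WAN", "tcp", 443)
    dmz_xbox = Packet("DMZ", "192.168.1.50", "WAN", "udp", 3074)
    for label, rules in [("bypass on top", RULES_BYPASS_ON_TOP),
                         ("bypass below", RULES_BYPASS_BELOW),
                         ("ports only", RULES_PORTS_ONLY)]:
        for pkt in (xbox_game, xbox_store, laptop, dmz_xbox):
            print(label, pkt.src_zone, pkt.src_ip, pkt.proto, pkt.dst_port, "->", decide(rules, pkt))
```

Two things the model makes visible: with the bypass placed below the general rule, the console's traffic hits the scanning rule first and the bypass never fires; and with the port-restricted variant, only the listed game ports skip scanning while the console's HTTPS traffic (store, updates) still falls through to the scanned rule. A console in a DMZ zone matches neither LAN rule, so the source zone of the bypass rule has to be the zone the console actually sits in.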